GitHub_MVULNRICHMENT:CVE-2024-45054CVE-2024-45054 Potential Permission Leakage of Cluster Level in hwameistor
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:L/I:N/A:N
AI Score
Confidence
High
EPSS
Percentile
5.1%
SSVC
Exploitation
none
Automatable
no
Technical Impact
partial
Hwameistor is an HA local storage system for cloud-native stateful workloads. This ClusterRole has * verbs of * resources. If a malicious user can access the worker node which has hwameistor’s deployment, he/she can abuse these excessive permissions to do whatever he/she likes to the whole cluster, resulting in a cluster-level privilege escalation. This issue has been patched in version 0.14.6. All users are advised to upgrade. Users unable to upgrade should update and limit the ClusterRole using security-role.
References
github.com/hwameistor/hwameistor/blob/main/helm/hwameistor/templates/clusterrole.yaml
github.com/hwameistor/hwameistor/commit/edf4cebed73cadd230bf97eab65c5311f2858450
github.com/hwameistor/hwameistor/issues/1457
github.com/hwameistor/hwameistor/issues/1460
github.com/hwameistor/hwameistor/security/advisories/GHSA-mgwr-h7mv-fh29
Related
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:L/I:N/A:N
AI Score
Confidence
High
EPSS
Percentile
5.1%
SSVC
Exploitation
none
Automatable
no
Technical Impact
partial